UNITED STATES DEPARTMENT OF COMMERCE
The Inspector General
Washington, D.C. 20230

May 20, 2013

The Honorable Lamar Smith
Chairman
Committee on Science, Space and Technology
United States House of Representatives
Washington, DC 20515-6301

Dear Mr. Chairman:

This responds to the Committee on Science, Space and Technology's letter of November 15,
2012, in which it was requested we examine issues related to the Department of Commerce's
(DOC) use of personal and/or alias email accounts to conduct official government business.
Pursuant to your request, we conducted an inquiry focused on the following:

   a) Whether it is possible to determine the extent personal email accounts are used by
      DOC employees to conduct official business.
   b) Whether DOC has procedures in place to collect, maintain, and access records created
      by personal or alias email accounts.
   c) Whether DOC has provided appropriate training for staff related to the use of personal
      or alias email accounts.
   d) Whether DOC has reprimanded, counseled, or taken administrative action against any
      employees for using personal or alias email accounts.
   e) Whether DOC officials have promoted or encouraged the use of personal or alias
      emails for conducting official government business.

For the purposes of this inquiry, "personal email account" is defined as an account established
with a commercial internet service provider such as Yahoo!, Gmail, or Hotmail. "Unofficial
alias email account" is defined as a DOC email account where the name or position of the
account holder is not readily apparent. "Official alias account" is defined as a DOC established
email account with a clearly identifiable account holder or purpose, such as one using an
individual account holder's title or a group account holder's function.

In the course of our inquiry, which focused on the Office of the Secretary (OS), National
Oceanic and Atmospheric Administration (NOAA), and the National Institute of Standards and
Technology (NIST), we examined various policies and procedures. We also interviewed senior
leadership within the Department including: the Acting Secretary of Commerce, the Under
Secretary of Commerce for Standards and Technology and NIST Director, the then-Under
Secretary of Commerce for Oceans and Atmosphere and National Oceanic and Atmospheric
Administration (NOAA) Administrator, and the Assistant Secretary of Commerce/Deputy
Administrator of NOAA (current Acting NOAA Administrator).

In addition, we interviewed the DOC Chief Information Officer (CIO) and other relevant CIO
staff from the Department, NIST, and NOAA. We also reviewed relevant training materials
and information pertaining to personnel action resulting from the use of personal or alias email
to conduct official business.

Our findings and recommendations are presented below. We are also transmitting these
results to the DOC CIO for action and response, as well as to the Acting Secretary of
Commerce.

a. The extent to which personal email accounts are used by DOC employees to conduct
   official business could not be determined.

We were unable to determine the extent of personal email use by DOC employees to conduct
official business because DOC does not have the technology, policies, or procedures in place to
provide this information.

b. Current DOC policy and procedures regarding the use of personal or alias email
   accounts for official business is only found in a "Remote Access Policy," and, therefore,
   is not interpreted as a blanket policy.

DOC presently lacks a comprehensive, Department-wide policy prohibiting the use of personal
email to conduct official government business. The policies currently in place do not address all
circumstances of use of personal email to conduct official business. In addition, DOC, including
NIST and NOAA, does not have any policy regarding unofficial alias email accounts. The
Commerce Interim Technical Requirements (CITR)-008: Remote Access Policy, states,

    "When working from a remote location, only DOC-authorized e-mail accounts must be
    utilized to conduct official business on behalf of the Department. Personal e-mail
    accounts (e.g. Hotmail, Yahoo, or Gmail) must not be used to conduct official business."

In addition to this policy, DOC requires all users of network services in the Office of the
Secretary (OS) [1] to read and sign an "OS Network Rules of Behavior" agreement which states,
"I may not use personal e-mail (e.g. yahoo, gmail, etc...) to send official DOC business information."
Per the DOC CIO, users are not granted access to the OS network until this document is read
and signed.

While DOC CIO policy (such as the CITR-008) applies to all DOC operating units and
bureaus, DOC operating units and bureaus can also implement more stringent policies. For
example, NIST has an "IT Resources, Access and Use Policy" that prohibits "sending personal
email that might be construed by the recipient to be an official communication."
NIST's "Automatic Email Forwarding Use Policy" prohibits automatic forwarding of email from
an employee's NIST email account to another email account. If an exception is granted under
this particular policy, storage is required for those emails on NIST's server.

[1] This requirement applies to the following OS operating units: Office of Business Liaison, Center for Faith Based
and Neighborhood Partnerships, Native American Affairs, Office of the Chief Financial Officer and Assistant
Secretary for Administration, Office of the Chief Information Officer, Office of the Executive Secretariat, Office of
General Counsel, Office of Legislative and Intergovernmental Affairs, Office of Policy and Strategic Planning, and
Office of Public Affairs.

The DOC CIO stated his office is drafting a formal DOC-wide policy memorandum referencing
the existing DOC policies outlined above and incorporating additional language clearly
forbidding the use of personal email accounts for official business. He stated that during
Quarter 3, Fiscal Year 2013, DOC plans to release an enterprise-wide DOC Acceptable Use
Policy/CITR which will incorporate the proposed policy memorandum and expand on related
issues, such as prohibiting the forwarding of DOC email to a personal device (e.g., personal
smartphone).

As stated in section a. above, DOC does not have technology, policies, or procedures in place
to identify, collect, maintain, or access personal email accounts used to conduct official business.

c. There is a lack of consistent, adequate training regarding the use of personal or alias
   email accounts for official business.

Because there is not a comprehensive policy regarding the use of personal or alias email
accounts for official business, we found a corresponding lack of consistent and adequate training
within the Department.
The DOC CIO reported that the training provided by his office does
not address the use of personal or alias email accounts for official business. DOC Office of
Human Resources confirmed that there is no formal training on this issue.

Per the NOAA CIO, the NOAA annual IT Security Awareness training previously included
statements regarding the inappropriateness of employees using personal email accounts for
official business in a Records Management module. However, NOAA currently does not
incorporate this particular statement in its training. According to the NOAA CIO, the Records
Management module was removed in 2010 in order to keep the training to a certain length.

d. We identified no record of adverse personnel action resulting from the use of personal
   or unofficial alias email accounts for official business.

We requested from the DOC Office of Human Resources (in coordination with the Office of
General Counsel and bureau human resource offices) all records related to any adverse
personnel action taken against an employee for using personal email or unofficial alias email
accounts to conduct official business. Based on its query, the DOC Office of Human Resources
reported that it did not locate any records of adverse personnel actions taken because of the
use of personal or unofficial alias email accounts to conduct official business for the bureaus it
services, including: the Office of the Secretary, Bureau of Industry and Security, Economic
Development Administration, International Trade Administration, Minority Business
Development Agency, and National Telecommunications and Information Administration.
NIST and NOAA also reported they did not locate any records of adverse personnel actions taken
because of the use of personal or unofficial alias email accounts to conduct official business.

Based on our review of OIG investigative records, we identified a case where an Economic
Development Administration (EDA) employee used his personal email account to conduct
official business. The investigation focused on potential conflicts of interest and appearances of
preferential treatment for EDA grantees the employee oversaw. During the investigation, OIG
found the employee regularly used his personal email account for EDA official business. In June
2012, we transmitted our report to EDA including that and other findings. We recommended
that EDA implement a policy prohibiting employees from using personal email accounts to
conduct official business; however, EDA did not address this recommendation in its response
dated September 25, 2012. EDA ultimately issued a memorandum to the employee advising him
to not use his personal email to conduct official business.

e. Senior DOC officials have not encouraged the use of personal or unofficial alias email
   for official business, and have not used personal or unofficial alias email for official
   business except for incidental instances.

None of the DOC officials we interviewed were aware of any DOC official promoting or
encouraging the use of personal or unofficial alias email accounts to conduct official business.
Except for incidental instances, the Acting Secretary; the Under Secretary of Commerce for
Standards and Technology and NIST Director; the then-Under Secretary of Commerce for
Oceans and Atmosphere and NOAA Administrator; and the Assistant Secretary of
Commerce/Deputy Administrator of NOAA (current Acting NOAA Administrator) all stated
they have not used their personal email to conduct official business. As stated below, former
Under Secretary of Commerce for Oceans and Atmosphere and NOAA Administrator stated
she had a general awareness of a practice by some employees to sometimes use their personal
email accounts for official business out of convenience, but that they would copy their official
account when doing so.

    1. The Acting Secretary informed us that she used her personal email account once on a
       Saturday after not being able to connect to the DOC email server. She stated the email
       content consisted of a request to a staff member to schedule a meeting with her first
       thing on the following Monday morning.

    2. The Assistant Secretary of Commerce/Deputy Administrator of NOAA (current Acting
       NOAA Administrator) identified five emails with a representative from the academic
       community, with whom she had a long-standing professional relationship, based on a
       search of her personal email account that discussed NOAA-related matters. We
       reviewed these emails and determined they were not substantive in nature.
       The emails
       consisted of forwards of academic articles, discussions, and presentations of potential
       interests involving weather, a string of emails while she was out of town as to what
       phone number was best to reach her on to discuss official business, and an email with a
       subject line only "eager to see draft declaration." The last was related to a
       Weather-Ready Nation community dialog, "Sense of Attendees" declaration that came out
       of the dialog.

    3. The former Under Secretary of Commerce for Oceans and Atmosphere and NOAA
       Administrator stated she was not aware of anyone in DOC or NOAA using personal or
       alias email accounts for official government business, unless they copied their official
       NOAA account. She stated as a matter of convenience some NOAA employees email
       from home on their personal accounts regarding NOAA business, and copy their
       NOAA accounts anytime they do so. She stated she did not know how widespread this
       practice was, and she could not recall anyone specifically doing it. She stated she did
       not know if this practice was acceptable under NOAA policy.

With regard to unofficial alias email accounts, none of the officials we interviewed were aware
of any used to conduct official business. Most mentioned official alias email accounts known to
them. The Acting Secretary stated she was aware of an email address used by the DOC
Executive Secretariat, the office responsible for controlled correspondence,
The_Secretary@doc.gov, to send and receive emails. She stated this is the only official alias
email account she is aware of, and she does not have access to the account.
The DOC CIO and
staff stated they were aware of two official alias email accounts: (1) the DOC CIO has a
DOCCIO@doc.gov account for email from the general public, and (2) the Secretary has a
The_Secretary@doc.gov account. The DOC CIO stated he is unaware of any unofficial alias
email accounts.

The NIST Director stated he was aware of an official alias email account at NIST,
Director@nist.gov. He stated the account is maintained so a change in leadership does not
disrupt an email address used for public inquiry. He stated he has no access to this account,
but his Chief of Staff monitors and screens the account for any relevant emails. The NIST CIO
and staff stated that NIST creates group accounts for functional use (e.g., a group email account
for a project team to use). The NIST CIO stated, to his knowledge, alias or group email
accounts have never been created for someone using a name different from that of the actual
user and/or position.

The then-Under Secretary of Commerce for Oceans and Atmosphere and NOAA
Administrator stated when she began at NOAA she was inundated with emails to her direct
NOAA account, so an account was set up within that account using an abbreviation of her
official account address with the idea that high priority emails would go to the subaccount
within her broader account. She stated this subaccount did not help her and was ultimately
abandoned.

The NOAA CIO stated the NOAA Administrator had an alternate NOAA email account, with
a variation of her name, but it was linked to her official account (i.e., both email addresses were
sent to the same Outlook inbox).
The NOAA CIO stated he was not aware of any unofficial
alias email accounts.

Recommendations

To ensure proper records management of all emails containing official business, and to facilitate
transparency and oversight, we intend to recommend by separate communication that the
DOC CIO, in coordination with DOC operating unit/bureau CIOs, take the following actions:

1. Finalize the pending policy revision to ensure the Department has a clear, comprehensive
   policy prohibiting the use of personal email for conducting official business.

2. Communicate DOC policies regarding the use of personal emails to all DOC employees,
   e.g., via initial and annual refresher IT training presentations.

An identical copy of this letter has been sent to each signatory of the Committee's November
15, 2012 letter and the Ranking Subcommittee Members.

If I can answer any questions or be of further assistance, please feel free to contact me or David
Smith, Deputy Inspector General, at 202-482-4661.

Sincerely,

Todd J. Zinser

cc:  Dr. Rebecca Blank, Acting Secretary
     Cameron Kerry, General Counsel
     Dr. Kathryn Sullivan, Acting Under Secretary of Commerce for Oceans and Atmosphere
     and Acting NOAA Administrator
     Dr. Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and
     NIST Director
     Simon Szykman, DOC CIO